Skip to content
Publish Azure CC Operator

Publish Snapshot Azure CC Operator #132

Sign in to view logs

Publish Snapshot Azure CC Operator

Publish Snapshot Azure CC Operator #132

Workflow file for this run

.github/workflows/publish-azure-cc-enclave-docker.yaml at 61d3c36
name: Publish Azure CC Operator
run-name: ${{ format('Publish {0} Azure CC Operator', inputs.release_type) }}
on:
workflow_dispatch:
inputs:
release_type:
type: choice
description: The type of release
options:
- Snapshot
- Patch
- Minor
- Major
version_number_input:
description: If set, the version number will not be incremented and the given number will be used.
type: string
default: ''
vulnerability_severity:
description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised.
type: choice
options:
- CRITICAL,HIGH
- CRITICAL,HIGH,MEDIUM
- CRITICAL (DO NOT use if JIRA ticket not raised)
workflow_call:
inputs:
release_type:
description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major]
required: true
type: string
version_number_input:
description: If set, the version number will not be incremented and the given number will be used.
type: string
default: ''
vulnerability_severity:
description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
type: string
default: 'CRITICAL,HIGH'
outputs:
image_tag:
description: The tag used to describe the image in Docker
value: ${{ jobs.buildImage.outputs.image_tag }}
env:
REGISTRY: ghcr.io
MAVEN_PROFILE: azure
ENCLAVE_PROTOCOL: azure-cc
IMAGE_NAME: ${{ github.repository }}
DOCKER_CONTEXT_PATH: scripts/azure-cc
ARTIFACTS_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts
MANIFEST_OUTPUT_DIR: ${{ github.workspace }}/manifest
jobs:
buildImage:
name: Build Image
runs-on: ubuntu-latest
permissions:
contents: write
security-events: write
packages: write
id-token: write
pull-requests: write
outputs:
jar_version: ${{ steps.version.outputs.new_version }}
image_tag: ${{ steps.updatePom.outputs.image_tag }}
steps:
- name: Approve Major release
if: inputs.release_type == 'Major'
uses: trstringer/manual-approval@v1
with:
secret: ${{ github.token }}
approvers: thomasm-ttd,atarassov-ttd,cody-constine-ttd
minimum-approvals: 1
issue-title: Creating Major version of UID2-Operator
- name: Check branch and release type
id: checkRelease
uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v2
with:
release_type: ${{ inputs.release_type }}
- name: Show Context
run: |
printenv
echo "$GITHUB_CONTEXT"
shell: bash
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
IS_RELEASE: ${{ steps.checkRelease.outputs.is_release }}
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '21'
- name: Checkout full history on Main
uses: actions/checkout@v4
if: ${{ inputs.version_number_input == '' }}
with:
# git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout.
fetch-depth: 0
- name: Checkout full history at tag v${{ inputs.version_number_input }}
uses: actions/checkout@v4
if: ${{ inputs.version_number_input != '' }}
with:
ref: v${{ inputs.version_number_input }}
# git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout.
fetch-depth: 0
- name: Restore timestamps
uses: thetradedesk/[email protected]
- name: Set version number
id: version
uses: IABTechLab/uid2-shared-actions/actions/version_number@v2
with:
type: ${{ inputs.release_type }}
version_number: ${{ inputs.version_number_input }}
branch_name: ${{ github.ref }}
- name: Update pom.xml
id: updatePom
run: |
current_version=$(grep -o '<version>.*</version>' pom.xml | head -1 | sed 's/<version>\(.*\)<\/version>/\1/')
new_version=${{ steps.version.outputs.new_version }}
sed -i "0,/$current_version/s/$current_version/$new_version/" pom.xml
echo "Version number updated from $current_version to $new_version"
echo "image_tag=${{ steps.version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }}" >> $GITHUB_OUTPUT
- name: Package JAR
id: package
run: |
mvn -B package -P ${{ env.MAVEN_PROFILE }}
echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT
echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT
cp -r target ${{ env.DOCKER_CONTEXT_PATH }}/
- name: Commit pom.xml and version.json
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release != 'true' }}
uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v2
with:
add: 'pom.xml version.json'
message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}'
- name: Commit pom.xml, version.json and set tag
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }}
uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v2
with:
add: 'pom.xml version.json'
message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}'
tag: v${{ steps.version.outputs.new_version }}
- name: Log in to the Docker container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=${{ steps.updatePom.outputs.image_tag }}
- name: Build and export to Docker
uses: docker/build-push-action@v5
with:
context: ${{ env.DOCKER_CONTEXT_PATH }}
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
JAR_VERSION=${{ steps.version.outputs.new_version }}
IMAGE_VERSION=${{ steps.version.outputs.new_version }}
BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }}
- name: Generate Trivy vulnerability scan report
uses: aquasecurity/[email protected]
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: 'sarif'
exit-code: '0'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
hide-progress: true
- name: Upload Trivy scan report to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
- name: Test with Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: ${{ inputs.vulnerability_severity }}
hide-progress: true
- name: Push to Docker
id: push-to-docker
uses: docker/build-push-action@v5
with:
context: ${{ env.DOCKER_CONTEXT_PATH }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
JAR_VERSION=${{ steps.version.outputs.new_version }}
IMAGE_VERSION=${{ steps.version.outputs.new_version }}
- name: uninstall azure-cli
run: |
sudo apt-get remove -y azure-cli
- name: install azure-cli 2.61.0
run: |
sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg -y
curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
AZ_REPO=$(lsb_release -cs)
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
AZ_VER=2.61.0
sudo apt-get update
sudo apt-get install azure-cli=${AZ_VER}-1~${AZ_DIST}
- name: check azure-cli version
run: |
az --version
- name: Modify docker user
shell: bash
run: |
# Required by az confcom
sudo usermod -aG docker ${USER}
- name: Generate Azure deployment artifacts
env:
IMAGE: ${{ steps.meta.outputs.tags }}
OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }}
MANIFEST_DIR: ${{ env.MANIFEST_OUTPUT_DIR }}
VERSION_NUMBER: ${{ steps.version.outputs.new_version }}
run: |
bash ./scripts/azure-cc/deployment/generate-deployment-artifacts.sh
- name: Upload deployment artifacts
uses: actions/upload-artifact@v4
with:
name: azure-cc-deployment-files-${{ steps.version.outputs.new_version }}
path: ${{ env.ARTIFACTS_OUTPUT_DIR }}
if-no-files-found: error
- name: Upload manifest
uses: actions/upload-artifact@v4
with:
name: azure-cc-enclave-id-${{ steps.version.outputs.new_version }}
path: ${{ env.MANIFEST_OUTPUT_DIR }}
if-no-files-found: error
- name: Generate release archive
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }}
run: |
zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ steps.meta.outputs.version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/*
- name: Build changelog
id: github_release
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }}
uses: mikepenz/release-changelog-builder-action@v4
with:
configurationJson: |
{
"template": "#{{CHANGELOG}}\n## Installation\n```\ndocker pull ${{ steps.meta.outputs.tags }}\n```\n\n## Image reference to deploy: \n```\n${{ steps.updatePom.outputs.image_tag }}\n```\n\n## Changelog\n#{{UNCATEGORIZED}}",
"pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )"
}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create release
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }}
uses: softprops/action-gh-release@v2
with:
name: ${{ steps.version.outputs.new_version }}
body: ${{ steps.github_release.outputs.changelog }}
draft: true
files: |
${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ steps.version.outputs.new_version }}.zip
${{ env.MANIFEST_OUTPUT_DIR }}/azure-cc-operator-digest-${{ steps.version.outputs.new_version }}.txt
e2e:
name: E2E
uses: ./.github/workflows/run-e2e-tests-on-operator.yaml
needs: buildImage
with:
operator_type: azure
operator_image_version: ${{ needs.buildImage.outputs.image_tag }}
secrets: inherit